The New York Times today reports that The Future of Privacy Forum, a D.C. think tank committed to promoting responsible data practices, has a pledge on offer to vendors in the K-12 space that use student information, including education records. Under the pledge, known as the “K-12 School Service Provider Pledge to Safeguard Student Privacy,” participating companies publicly commit not to use student data for advertising purposes or to compile student profiles unless authorized by schools or parents.
This pledge is every bit as relevant to higher education as it is to the K-12 sector. Perhaps one of our national associations would do well to propose a similar pledge for cloud vendors in the higher education space. Doing so would collectively eliminate the individual, ‘one-off’ nature of contract negotiations and the underlying hum of uncertainty colleges and universities face when selecting a cloud vendor for institutional information without violating privacy laws.
Here are some of the actions to which the Pledge holds signatories responsible:
Not to sell student information
No behaviorally targeted advertising
Use data for authorized education purposes only
Not to change privacy policies without notice and choice
Enforce strict limits on data retention
Provide comprehensive security standards
Be transparent about collection and use of data
Do these provisions ring any bells? Yes! They reflect fair information practices, which are foundational principles of information privacy. Similarly modeled personal information privacy laws come to mind, including FERPA, GLBA and HIPAA. These U.S. public privacy laws comport with basic privacy practices observed in all developed nations, where those practices apply comprehensively to all personally identifiable information rather than to “sectors” or silos of information, as they do in the U.S.
Over the last few years, there has been a push to develop minimum standards for data privacy and security in cloud computing contracts. Higher education is in a different place than it was in the vulnerable early years of cloud computing. Enterprise email and data storage cloud systems first emerged as a cost saver around the same time that the market tanked, university endowments sank, and titans such as Google and Amazon were at the height of their appeal. We signed lots of contracts without looking hard (or thinking twice) about vendors’ business models and the compliance information management needs of our campuses. Since then, college and university attorneys have revised contracts, inserted appropriate provisions, and attempted to educate campus constituents about the proper use of data.
But concerns continue. Only this year did the Gmail litigation discovery process reveal that Google had not turned off its data mining technologies for profiling purposes. This sleight of hand revolved around Google’s promise not to show ads on enterprise systems, which we heard as no data mining for business purposes.
In the dust-up, Google revised its enterprise apps Terms of Service to state that they would not collect data for advertising purposes. What is less clear is whether Google is still data mining for other business purposes. If the latter is true, then it is still a FERPA violation. FERPA allows for data mining only when used exclusively for the purpose of furthering the education of the student (for example, in tailored analytics for a learning process). It expressly disallows leveraging education records for furthering the vendors’ business purposes.
Google is not among the companies to sign the pledge, and that is no surprise. Anything that would challenge its business model, bring scrutiny to its algorithm, and openly admit that it continues to use data mining from enterprise contracts to improve its services is off corporate limits. The distinction lies here: the signatory companies – including Amplify, Capstone, Code.org, DreamBox Learning, Edmodo, Gaggle, Houghton Mifflin Harcourt, Knewton, Knovation, LifeTouch, Microsoft, and Think Through Learning – are NOT advertising companies. They offer content and services that do not rely on data mining as the principal means to fuel their business model.
To date, with its patent-protected algorithm, Google has remained two steps ahead of everyone else – competitors, vulnerable enterprise customers and even regulators, such as the Department of Education. But gradually, and at times inadvertently, such as in the Gmail litigation, chinks appear in the armor. Those chinks have consequences. For example, the Federal Trade Commission might be curious about deceptive practices. And for educational institutions, section 99.33(e) of FERPA, the vendor prohibition provision, is in question. It states: “if the Department determines that a third party, such as an SEA, does not notify the parent [or student … of a disclosure of their education record] as required, the agency or institution may not allow that third party access to education records for at least five years.” This sanction would make a significant dent in Google’s education market share and greatly diminish the reputation of a company that promises to “do no evil.”
How can Google get out from behind this suspicion? It can stop putting itself above the needs of the education community, K-20. For once, it can collaboratively identify a common goal – student privacy – that is of greater value in the long run than its bottom line today. And, finally, to set aside the suspicions that continue to rise about this company’s commitment to privacy, it should sign the pledge.